System and method for controlling a postage metering system using data required for printing

ABSTRACT

A method for controlling a postage metering system (1) defines a first set of postage parameters P₁, P₂, P₃ to Pₙ associated with the generation of postage evidence in a postage metering system (10) and then initializes the postage metering system (10) with a subset of the first set of postage parameters F₁, F₂, F₃ to Fₙ. The subset F₁, F₂, F₃ to Fₙ defines a combination of the postage parameters for which the generation of postage evidence is not authorized. When a request for postage evidence is received, the request includes a second set of postage parameters P₁, P₂, P₃ to Pₙ that are combined to form a postage parameter vector (PPV). The generation of postage evidence is inhibited when at least one of the postage parameters P₁, P₂, P₃ to Pₙ in the second set matches one of the postage parameters in the first set F₁, F₂, F₃ to Fₙ. When none of the postage parameters P₁, P₂, P₃ to Pₙ in the second set matches one of the postage parameters in the first set F₁, F₂, F₃ to Fₙ the requested postage evidence is generated. In an alternative method the subset defines a combination of the postage parameters for which the generation of postage evidence is authorized, and the requested postage evidence is generated when each of the postage parameters in the first set matches one of the postage parameters in the second set.

RELATED APPLICATIONS

This is a continuation-in-part application of U.S. Provisional Patent Application Ser. No. 60/049,518, filed Jun. 13, 1997, now abandoned, and assigned to the assignee of the present invention.

The present application is related to the following U.S. patent applications Ser. Nos. 09/242,210; 09/242,209; 09/242,206; 09/242,205 and 09/242,207, all being assigned to the assignee of the present invention, all of which are incorporated herein by reference in their entirety.

TECHNICAL FIELD

The present invention relates generally to a postage metering system and method for evidencing postage payment in an open system and, more particularly, to a postage metering system and method for evidencing postage payment in a virtual meter configuration.

BACKGROUND ART

Postage metering systems have been developed which employ encrypted information that is printed on a mailpiece as part of an indicium evidencing postage payment. The encrypted information includes a postage value for the mailpiece combined with other postal data that relate to the mailpiece and the postage meter printing the indicium. The encrypted information, typically referred to as a digital token or a digital signature, authenticates and protects the integrity of information, including the postage value, imprinted on the mailpiece for later verification of postage payment. Since the digital token incorporates encrypted information relating to the evidencing of postage payment, altering the printed information in an indicium is detectable by standard verification procedures. Examples of systems that generate and print such indicium are described in U.S. Pat. Nos. 4,725,718, 4,757,537, 4,775,246 and 4,873,645, each assigned to the assignee of the present invention.

Presently, there are two postage metering device types: a closed system and an open system. In a closed system, the system functionality is solely dedicated to metering activity. Examples of closed system metering devices, also referred to as postage evidencing devices, include conventional digital and analog (mechanical and electronic) postage meters wherein a dedicated printer is securely coupled to a metering or accounting function. In a closed system, typically the printer is securely coupled and dedicated to the meter, and printing evidence of postage cannot take place without accounting for the evidence of postage. In an open system, the printer is not dedicated to the metering activity, freeing system functionality for multiple and diverse uses in addition to the metering activity. Examples of open system metering devices include personal computer (PC) based devices with single/multi-tasking operating systems, multi-user applications and digital printers. An open system metering device is a postage evidencing device with a non-dedicated printer that is not securely coupled to a secure accounting module. An open system indicium printed by the non-dedicated printer is made secure by including addressee information in the encrypted evidence of postage printed on the mailpiece for subsequent verification. See U.S. Pat. Nos. 4,725,718 and 4,831,555, each assigned to the assignee of the present invention.

The United States Postal Service (“USPS”) has proposed an Information-Based Indicia Program (“IBIP”), which is a distributed trusted system to retrofit and augment existing postage meters using new evidence of postage payment known as information-based indicia. The program relies on digital signature techniques to produce for each envelope an indicium whose origin can be authenticated and content cannot be modified. IBIP is expected to support new methods of applying postage in addition to the current approach, which typically relies on a postage meter to print indicia on mailpieces. IBIP requires printing a large, high density, two-dimensional (“2-D”) bar code on a mailpiece. The 2-D bar code encodes information and is signed with a digital signature.

The USPS has published draft specifications for IBIP. The INFORMATION BASED INDICIA PROGRAM (IBIP) INDICIUM SPECIFICATION, dated Jun. 13, 1996, and revised Jul. 23, 1997, (“IBIP Indicium Specification”) defines the proposed requirements for a new indicium that will be applied to mail being created using IBIP. The INFORMATION BASED INDICIA PROGRAM POSTAL SECURITY DEVICE SPECIFICATION, dated Jun. 13, 1996, and revised Jul. 23, 1997, (“IBIP PSD Specification”) defines the proposed requirements for a Postal Security Device (“PSD”), which is a secure processor-based accounting device that dispenses and accounts for postal value stored therein to support the creation of a new “information based” postage postmark or indicium that will be applied to mail being processed using IBIP. The INFORMATION BASED INDICIA PROGRAM HOST SYSTEM SPECIFICATION, dated Oct. 9, 1996, defines the proposed requirements for a host system element of IBIP (“IBIP Host Specification”). IBIP includes interfacing user, postal and vendor infrastructures which are the system elements of the program. The INFORMATION BASED INDICIA PROGRAM KEY MANAGEMENT PLAN SPECIFICATION, dated Apr. 25, 1997, defines the generation, distribution, use and replacement of the cryptographic keys used by the USPS product/service provider and PSDs (“IBIP KMS Specification”). The specifications are collectively referred to herein as the “IBIP Specifications”.

The IBIP Specifications define a stand-alone open metering system, referred to herein as a PC Meter comprising a PSD coupled to a personal computer (“PC”) which operates as a host system with a printer coupled thereto (“Host PC”). The Host PC runs the metering application software and associated libraries (collectively referred to herein as “Host Applications”) and communicates with one or more attached PSDs. The PC Meter can only access PSDs coupled to the Host PC. There is no remote PSD access for the PC Meter.

The PC Meter processes transactions for dispensing postage, registration and refill on the Host PC. Processing is performed locally between the Host PC and the PSD coupled thereto. Connections to a Data Center, for example for registration and refill transactions, are made locally from the Host PC through a local or network modem/internet connection. Accounting for debits and credits to the PSD is also performed locally, logging the transactions on the Host PC. The Host PC may accommodate more than one PSD, for example supporting one PSD per serial port. Several applications programs running on the Host PC, such as a word processor or an envelope designer, may access the Host Applications.

The IBIP Specifications do not address an IBIP open metering system on a network environment. However, the specifications do not prohibit such a network-based system. Generally, in a network environment a network Server controls remote printing requested by a Client PC on the network. Of course, the Client PC controls any local printing.

One version of a network metering system, referred to herein as a “virtual meter”, has many Host PCs without any PSDs coupled thereto. The Host PCs run Host Applications, but all PSD functions are performed on Server(s) located at a Data Center. The PSD functions at the Data Center may be performed in a secure device attached to a computer at the Data Center, or may be performed in the Data Center computer itself. The Host PCs must connect with the Data Center to process transactions such as postage dispensing, meter registration, or meter refills. Transactions are requested by the Host PC and sent to the Data Center for remote processing. The transactions are processed centrally at the Data Center and the results are returned to the Host PC. Accounting for funds and transaction processing are centralized at the Data Center. See, for example, U.S. Pat. Nos. 5,454,038 and 4,873,645, which are assigned to the assignee of the present invention.

The virtual meter does not conform to all the current requirements of the IBIP Specifications. In particular, the IBIP Specifications do not permit PSD functions to be performed at the Data Center. However, it is understood that a virtual meter configuration with each user's PSD located at the Data Center may provide an equivalent level of security as required by the IBIP Specifications.

In conventional closed system mechanical and electronic postage meters a secure link is required between printing and accounting functions. For postage meters configured with printing and accounting functions performed in a single, secure box, the integrity of the secure box is monitored by periodic inspections of the meters. More recently, digital printing postage meters typically include a digital printer coupled to a metering (accounting) device, which is referred to herein as a postal security device (PSD). Digital printing postage meters have removed the need for physical inspection by cryptographically securing the link between the accounting and printing mechanisms. In essence, new digital printing postage meters create a secure point to point communication link between the PSD and print head. See, for example, U.S. Pat. No. 4,802,218, issued to Christopher B. Wright et al. and now assigned to the assignee of the present invention. An example of a digital printing postage meter with secure print head communication is the Personal Post Office™ manufactured by Pitney Bowes Inc. of Stamford, Conn.

In U.S. Pat. Nos. 4,873,645 and 5,454,038, a virtual metering system and method are disclosed wherein the postal accounting and token generation occur at a data center remote from the postage evidencing printer. Although the Data Center may be a secure facility, there remain certain inherent security issues since the accounting and token generation functions do not occur in a secure device local to the postage printer. The virtual postage metering system includes a computer coupled to an unsecured printer and to a remote data metering system. The postal accounting and the token generation occur at the Data Center.

Heretofore, for conventional postage meters, limiting physical access to a postage meter controlled use of the postage meter. It is known that a password system further controls use of the postage meter by requiring a user to enter an authorized password to activate the postage meter. With the advent of open metering systems, such as PC, network and virtual postage metering systems, limiting physical access is no longer an effective control. Although the metering device, such as the PSD, may be located remote from users, the users can dispense postage from their desks using their personal computers. Although password control provides some control, passwords are susceptible to being compromised whereby unauthorized dispensing of postage is likely.

DISCLOSURE OF THE INVENTION

It has been found that postage meter users, i.e. mailers, can effectively control postage disbursement by restricting the printing of postage evidencing with predetermined combinations of parameters required for the computation of authentication digital tokens. In doing so, the present invention minimizes unauthorized use of a postage meter and limits financial exposure of the owners of the virtual postage metering system accounts.

It has further been found that the present invention provides a method for customizing authorized use of a postage metering system whereby different users of the postage metering system may have different levels of authorized use. A further benefit of the present invention is that use of the postage metering system can be customized so that certain types or numbers of postage dispensing occur on defined days.

In accordance with the present invention, a postage metering system is programmed with postage parameter vectors each defining a set of parameters that must be present for the postage metering system to dispense postage. For each requested transaction, if any parameter of a postage parameter vector is out of range or missing, the virtual postage metering system is disabled for the requested transaction.

In accordance with the present invention, a method for controlling a postage metering system defines a first set of postage parameters associated with the generation of postage evidence in a postage metering system and then initializes the postage metering system with a subset of the first set of postage parameters. The subset defines a combination of the postage parameters for which the generation of postage evidence is not authorized. When a request for postage evidence is received, the request includes a second set of postage parameters. The generation of postage evidence is inhibited when at least one of the postage parameters in the second set matches one of the postage parameters in the first set. When none of the postage parameters in the second set matches any of the postage parameters in the first set the requested postage evidence is generated. In an alternate method the subset defines a combination of the postage parameters for which the generation of postage evidence is authorized, and the requested postage evidence is generated when each of the postage parameters in the first set matches one of the postage parameters in the second set. The generation of postage evidence is inhibited when one of the postage parameters in the first set does not match any of the postage parameters in the second set.

DESCRIPTION OF THE DRAWINGS

The above and other objects and advantages of the present invention will be apparent upon consideration of the following detailed description, taken in conjunction with accompanying drawings, in which like reference characters refer to like parts throughout, and in which:

FIG. 1 is a block diagram of a virtual postage metering system for dispensing postage embodying the principles of the present invention;

FIG. 2 is a block diagram of the Data Center database server and secure box for the virtual postage metering system of FIG. 1;

FIG. 3 is a process flow for postage authorization and printing by a postage metering system; and

FIG. 4 is a flow chart for controlling a postage metering system in accordance with the present invention.

BEST MODE OF CARRYING OUT THE INVENTION

The present invention is described as part of a virtual postage metering system. However, the present invention is suitable for use in any open or closed postage metering system in which a user can define postage parameter vectors. For example, the present invention is suitable for use in a PC metering system, such as described in U.S. Pat. No. 5,625,694, which is hereby incorporated herein by reference in its entirety.

In describing the present invention, reference is made to the drawings, wherein there is seen in FIG. 1, a virtual postage metering system, generally designated 10. The virtual postage metering system 10 includes a plurality (only one is shown) of personal computer (PC) systems, generally designated 20, each having access to a printer 22 for printing evidence of postage on an envelope. PC 20 is connected with a transaction processing Data Center 30 that performs postal accounting and evidencing of postage. The virtual postage metering system 10 allows each mailer to use a conventional PC to remotely obtain evidence of postage payment on an as needed basis. Unlike conventional postage metering systems, virtual postage metering system 10 does not include any meter hardware located at the mailer's site. Nor are any postal funds stored at the mailer's site. All metering and accounting of funds occur at Data Center 30 using functional software and database records representing each mailer's “postage meter”, referred to herein as a “meter account”.

The accounting method for virtual postage metering system 10 may be a conventional prepayment or post-payment system. The preferred method is a prepayment method wherein each mailer is required to put a minimum amount of money into the mailer's virtual meter account. As account funds drop below a specific level a refill is charged against the mailer's account. An alternate accounting method that is suitable for a virtual postage metering system is a real-time payment method in which the amount of a transaction is charged to a mailer's credit card account when the transaction occurs. This method is referred to herein as a “trickle charge” postage payment, because the mailer does not pay for postage for a mailpiece until the mailer is ready to print the mailpiece.

In the virtual postage metering system, a “meter” vendor, such as Pitney Bowes Inc., provides the mailer with client software that runs on PC 20, e.g., the client software may be downloaded from the vendor's Internet server. Alternatively, the client software may be Internet browser-based pages that provide mailer interactions with the Data Center 30. The meter vendor also manages Data Center 30. The client software initiates communications with Data Center 30 which performs metering transactions to evidence postage for single mailpieces or batches of mailpieces. In the preferred embodiment, the client software establishes a connection to the Data Center, and requests postage by providing postal information relating to the requested transactions, such as postage amount, addressee information and (optionally) the origin of deposit for each mailpiece. Data Center 30 receives the postal information, determines the origin ZIP for the mailpiece(s), performs accounting functions and generates an encrypted evidence of postage payment, such as a token or digital signature, and sends indicium information including the token, to PC 20. PC 20 receives the indicium information, creates an indicium bitmap, which can be displayed on a PC monitor (not shown) and printed on the mailpiece by printer 22. PC 20 then disconnects from Data Center 30 or requests another transaction. The connection between PC 20 and Data Center 30 may be through a Network Service Provider, such as on the Internet, or by direct dial using the PC's modem.

Virtual postage metering system 10 eliminates the need to maintain and account for traditional metering devices at each mailer's site and provides flexibility for handling requests from multiple origins of deposit by each mailer. Virtual postage metering system 10 also provides value added services that are not available with conventional meter devices, such as, real-time address hygiene, direct marketing services and trickle charge postage payment. Virtual postage metering system 10 provides mailer authentication by Data Center 30 to identify mailers with valid accounts. When a mailer has been authenticated for each request, for example, by a username, password or other conventional methods, Data Center 30 services the request, and returns indicium information to the PC 20 where the indicium is created and printed on the mailpiece.

Referring again to FIG. 1, the mailer initiates a postage evidencing transaction by running client software in PC 20, which contacts Data Center 30. At Data Center 30, a Communication Server 32 supports connectivity from various communication technologies and protocols. The Communication Server merges all incoming traffic and routes it to a Function Server 34, which includes application software that supports mailer sign-on, postage dispensing and postal reporting. All mailer and meter information is accessed from a Database Server 36 where the information is securely stored using secure cryptographic processes and protocols as described below. Data Center 30 maintains cryptographic keys for each meter account in Database Server 36. The cryptographic keys are used for postage evidencing and verification as well as for security of the records stored in Database Server 36. A Key Management System 38 administers all cryptographic keys used in virtual postage metering system 10. The cryptographic keys may be distributed to verifiers in remote locations. U.S. Pat. No. 5,812,666, assigned to the assignee of the present invention, describes such a key management system.

A mailer may establish a meter account through an on-line sign-up process with Data Center 30. During sign-up, the mailer enters, at PC 20, account information, such as user name, password and method of payment. Any registration fees can be charged at this time. Data Center 30, preferably administered by a meter vendor, such as Pitney Bowes Inc., arranges all meter licenses and agreements between its mailers and the Post.

In the present invention, the PSD does not exist, i.e., there is no metering device coupled to the PC from which postage payment is requested. Virtual postage metering system 10 replaces the accounting and metering functions of the PSD with metering software and mailer account information performed and updated at Data Center 30. The virtual postage metering system 10 provides each mailer with a metering system that has the capability of originating transactions from multiple origins of deposit. See, for example, previously noted U.S. patent application Ser. No. 09/242,206.

Various methods can be used to determine the origin of deposit for a requested transaction. For example, a method for determining origin zip code using a caller ID from a telephone call is disclosed in U.S. Pat. No. 5,943,658, assigned to the assignee of the present invention, which is hereby incorporated in its entirety by reference.

In accordance with the present invention, one or more cryptographic modules, referred to herein as secure “boxes”, are located within Data Center 30 and are used to perform cryptographic processes. Each secure box is a secure, tamper-evident and tamper-responding device, including a processor and memory, that stores encryption keys and performs cryptographic operations using the keys within the secure boundary of the device. Data Center 30 includes several types of secure boxes, which are described below. In the preferred embodiment, Data Center 30 includes multiple boxes of each type for redundancy and performance.

Key Management System 38 includes a manufacturing box (not shown) that provides top-level keys used to generate random numbers for seeding each of the other secure boxes. By sharing cryptographic keys (secret and/or public), the secure boxes communicate securely within Data Center 30. Key Management System 38 also includes a “steel” box (not shown) that shares a common key with meter box 44 to encrypt/decrypt master token keys for postage evidencing transactions for each meter account. The steel box merges a vendor key and a postal key into one record in cipher text. For each meter account, Data Center 30 creates a logical meter, i.e. a meter record, in Database Server 36 by generating a token key using the vendor and postal keys, initializing meter registers (ascending and descending), meter freshness data (described below) and other postal information as part of the meter record, and then storing the meter record in Database Server 36.

Data Center 30 also includes a meter box 44 that shares a secret key with the steel box for decrypting the token key encrypted in the meter record. Meter box 44 also holds the key used for digital signature of transaction records. The only other information stored in meter box 44 is freshness data for each meter record processed by meter box 44. For each postage transaction, meter box 44 generates at least one digital token or signs the postage transaction, and updates the meter record corresponding to the transaction. Each meter record in Database Server 36 includes postal funds as well as the token keys in cipher text. Meter box 44 uses the token keys to generate tokens, updates the postal funds in the meter record, and signs the updated meter record. In this manner, meter box 44 performs and controls the secure accounting for each transaction. Meter box 44 can also be used to verify the token or the transaction signature for verification of the postage evidencing for the transaction.

Data Center 30 also includes an authentication box 40 that shares a different secret key with the steel box to decrypt a mailer authentication key stored in cipher text in Database Server 36. Authentication box 40 also executes the authentication algorithms using the decrypted authentication key to authenticate a mailer.

Finally, Data Center 30 includes a transaction box 42 that shares another secret key with the steel box to sign mailer transaction records other than the meter records signed by meter box 44, such as logins and login history records. Transaction box 42 later verifies the transaction record signature when the next transaction is requested.

Referring now to FIG. 2, a configuration of Database Server 36, including a meter database 60, a mailer database 62 and a database of meter records 64, is shown. Meter database 60 comprises meter information associated for each meter account, such as, meter serial number, piece count of last mailpiece, ascending register, descending register and other postal values. Mailer database 62 comprises mailer information and information that associates a mailer with a meter account.

In operation, Communication Server 32 receives a request for a meter transaction from mailer PC 20. The application software in the Function Server 34 controls the processing of the transaction request. Function Server 34 accesses mailer database 62 and meter database 60 to obtain records, including the appropriate meter record 64, corresponding to the meter account of the mailer initiating the request. Function Server 34 communicates mailer records from mailer database 62 to authentication box 40, which then authenticates the mailer requesting the transaction. Once the mailer has been authenticated, Function Server 34 communicates the appropriate meter record 64 to meter box 44, which verifies a signature and freshness data for the record. Meter box 44 decrypts the encrypted key(s) that are stored within meter record 64, performs accounting functions on the ascending and descending registers in meter record 64, and uses the key(s) to generate a token for the requested transaction. Meter box 44 then generates data for an indicium, and again signs meter record 64. The updated and signed record is then sent back to Database Server 36 where it is stored as part of meter database 60.

At Data Center 30, the authentication keys are not available in plain text, but must be distributed to the mailer. Conventional methods of distributing and updating the authentication key for each mailer can be used. See, for example, previously noted U.S. Pat. No. 5,812,666, which describes a key management system for distributing and updating cryptographic keys to the secure boxes and the mailer's PC.

Postage metering systems equipped with digital printing utilize several parameters for printing a digital indicium. Referring now to FIG. 3, a typical process flow for postage authorization and printing is shown. The process includes operations occurring in four modules in the postage metering system: a mail generator module 100, a rating module 110, an accounting module 120 and an encryption module 130. The mail generator module 100 includes a list of addresses and a list of postal rate parameters. The rating module 110 includes the current rate table and a rate table signature which authenticates the current rate table. The accounting module 120 includes an ascending register (AR), a descending register (DR) and a piece count. The encryption module 130 includes postal and vendor cryptographic keys, origin ZIP information and an identification of the postage metering system (meter ID).

In virtual postage metering system 10, mail generator module 100 resides in PC 20 and the rating, accounting and encryption modules reside at Data Center 30. The encryption module 130 resides in meter box 44, and the accounting module 120 resides in part in meter box 44 (AR, DR and piece count) and in Database Server 36 (accounting functions). The rating module 110 preferably resides in Database Server 36, however, the rating module may reside in PC 20. In a PC metering system, the accounting and encryption modules would reside in the PSD and the mail generator and rating modules would reside in the Host PC.

The following process is described for a postage evidencing transaction for a single mailpiece. It will be understood that the process may also be used for postage evidencing transactions for a batch of mailpieces.

The process begins with mail generator module 100 initiating a request for postage. Prior to this request for postage, a user has selected (for each mailpiece) a mailing address from the address list and entered or defaulted to various rate parameters for a mailpiece. The rating module 110 receives the request with the rate parameters, calculates postage amount and requests postage evidencing. It is noted that the user may enter a postage amount, which could be one of the rate parameters, in which case the rating module would defer to the entered postage amount. The accounting module 120 approves the request for postage evidencing, subtracts the postage amount from the descending register, adds the postage amount to the ascending register and increments the piece count. Once the accounting has been completed, the encryption process is enabled. The encryption module 130 performs the encryption function using the postal and vendor keys, origin ZIP (received from mail generator module), meter ID, AR and DR and piece count (collectively referred to as postal data). The encryption function, which is a cryptographic transformation computation that utilizes, for example, a secret key to produce digital tokens/signatures, provides one or more digital tokens or digital signatures of the previously noted postal data. The postal data and digital tokens/signatures are collectively referred to herein as indicium data. The mail generator receives the indicium data, optionally verifies that sufficient postage has been paid and prints the indicium.

In accordance with the present invention, several parameters must be entered into the system before the indicium can be printed. The parameters define conditions and user entries that restrict postage from being dispensed and printed. For example, the following parameters are typically needed to generate a digital indicium.

P₁=Date of submission

P₂=Weight classification

P₃=Mail classification

P₄=Oversize indicator

P₅=Special rating parameters

P₆=Destination postal code

P₇=Piece count

P₈=Postal code of originating post office

P₉=Identity of the user

In accordance with the present invention, a set of parameters $P_1, P_2, \ldots, P_n$ can be described in combination as postage parameters vectors (PPV), which are used to effectively restrict printing of the indicium:

$$\mathrm{PPV} = (P_1, P_2, P_3, \ldots, P_n).$$

Under the direction of a mailer's representative responsible for thepostage metering system, such as a system administrator, the postagemetering system is instructed not to print if vector PPV belongs to apredefined subset of the overall set of possible values for PPV. Forexample, if parameters P₁ to P_(n) belong to sets

$$P_1 \in (P_1^{\min}, P_1^{\max}),\; P_2 \in (P_2^{\min}, P_2^{\max}),\; \ldots,\; P_n \in (P_n^{\min}, P_n^{\max})$$

(where $\in$ is the symbol that indicates inclusion in a set) then the Cartesian product

$$(P_1^{\min}, P_1^{\max}) \times (P_2^{\min}, P_2^{\max}) \times \ldots \times (P_n^{\min}, P_n^{\max})$$

(where $P_1^{\min}$, $P_1^{\max}$ are the minimal and maximal values of the parameter $P_1$) represents the set $T$ of all possible values for the vector PPV, i.e. $\mathrm{PPV} \in T$.

In accordance with the present invention, the mailer defines a “forbidden zone”, i.e., a subset of $T$, such that values that belong to this subset cannot be used to print postage. The subset of $T$ can be formally defined as follows. For each parameter $P_1$ there can be a subset $F_1$ of its range $(P_1^{\min}, P_1^{\max})$ where the mailer does not allow printing, for example,

$$F_1 \in (P_1^{\min}, P_1^{\max}).$$

$F_1$ may be 0 or any subset of $(P_1^{\min}, P_1^{\max})$. Then the Cartesian product

$$F_1 \times F_2 \times \ldots \times F_n \in T$$

represents the set of parameters where printing and accounting for postage is not allowed. In mathematical terms, $(F_1 \times F_2 \times \ldots \times F_n)$ defines a domain in multi-dimensional space. The present invention checks if a set of parameters is within or outside this domain.

Referring now to FIG. 4, an algorithm is shown for controlling a postage metering system when a request for postage evidencing is made.

At step 200, a postage parameter vector is generated for a given mailpiece based on parameters selected or entered by a user. At step 210, the postage metering system determines if the postage parameter vector includes any of the set of parameters for which printing and accounting for postage is not allowed by checking the following condition:

$$\mathrm{PPV} \subset F_1 \times F_2 \times \ldots \times F_n.$$

If the condition is satisfied, then, at step 220, the accounting and printing processes are inhibited. A message indicating that further processing has been inhibited is provided to the user. If the condition is not satisfied at step 210, then, at step 230, the accounting and printing processes are completed.

In an alternate embodiment of the present invention, $(F_1 \times F_2 \times \ldots \times F_n)$ represents the set of parameters required for printing and accounting for postage to occur. In the alternate embodiment, the postage metering system determines if the postage parameter vector includes the set of required parameters by checking the following condition:

$$\mathrm{PPV} \in F_1 \times F_2 \times \ldots \times F_n.$$

If the condition is satisfied, then the accounting and printing processes are completed. If the condition is not satisfied, then the accounting and printing processes are inhibited and a message indicating that further processing has been inhibited is provided to the user.

For each meter account, there may be sets of allowed PPV's and domains $(F_1, F_2, \ldots, F_n)$. In a mathematical sense, the present invention checks for a direct product of the sets, i.e., checks if any element of $F_1$, any element of $F_2$ etc., is present in each PPV. The result will be a vector that will only be valid if all the PPV elements belong to the sets. If no element in the PPVs belongs to, for example, $F_1$, then the vector will not be valid, i.e., the set of parameters will be outside the domain defined in multi-dimensional space. If the vector is within the domain the postage metering system proceeds with postage generation.

For example, if P₂>1 oz and P₆=06484 or 06485, the postage metering system is blocked by the following set of not allowed parameters:

$$F_2 = \{1\ \text{oz}+\}$$

$$F_6 = \{06484,\ 06485\}$$

$$F_1, F_3, \ldots, F_n = (P_1^{\min}, P_1^{\max}),\ (P_3^{\min}, P_3^{\max}),\ \ldots,\ (P_n^{\min}, P_n^{\max})$$ without additional restrictions.
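The FIG. 4 check and the alternate embodiment, as an added Python sketch that is not part of the patent: each F_i is modelled as a predicate over P_i, an index with no predicate is taken to span its whole range, and a request that omits a constrained parameter is inhibited rather than allowed. The names `authorize`, `in_domain`, `FORBIDDEN_ZONE` and `FRIDAY_BILLING`, the Friday-only policy for the alternate embodiment, and the sample requests are assumptions made for illustration.

```python
from datetime import date
from typing import Callable, Mapping

# F_i as a predicate over P_i. An index with no entry is unrestricted,
# i.e. F_i is the whole range (P_i^min, P_i^max). Assumption of this sketch.
Domain = Mapping[int, Callable[[object], bool]]

def in_domain(ppv: Mapping[int, object], domain: Domain) -> bool:
    """True when PPV lies in F_1 x ... x F_n: every constrained P_i is in F_i."""
    return all(f_i(ppv[i]) for i, f_i in domain.items())

def authorize(ppv: Mapping[int, object], domain: Domain, forbidden: bool = True) -> bool:
    """Step 210 decision: True = account and print, False = inhibit.

    forbidden=True  -> domain is the forbidden zone (first embodiment).
    forbidden=False -> domain is the required set (alternate embodiment).
    """
    # Fail closed (assumption): a request that omits a constrained parameter
    # must not slip past a deny-list just because nothing could be compared.
    if any(i not in ppv for i in domain):
        return False
    inside = in_domain(ppv, domain)
    return not inside if forbidden else inside

# Forbidden zone from the text: P2 > 1 oz AND P6 in {06484, 06485}.
# ZIP codes stay strings so leading zeros survive comparison.
FORBIDDEN_ZONE: Domain = {
    2: lambda oz: oz > 1.0,
    6: lambda zip_code: zip_code in {"06484", "06485"},
}

# Constructed required set for the alternate embodiment: ZIP 06484, Fridays only.
FRIDAY_BILLING: Domain = {
    1: lambda d: d.weekday() == 4,  # P1 = date of submission, 4 = Friday
    6: lambda zip_code: zip_code == "06484",
}

if __name__ == "__main__":
    # Constructed requests, keyed by parameter index.
    heavy_local = {1: date(2024, 3, 1), 2: 1.5, 6: "06484"}
    light_local = {1: date(2024, 3, 1), 2: 0.8, 6: "06484"}
    print(authorize(heavy_local, FORBIDDEN_ZONE))
    print(authorize(light_local, FORBIDDEN_ZONE))
    print(authorize(light_local, FRIDAY_BILLING, forbidden=False))
```

Without the fail-closed guard, a deny-list policy would authorize any request that simply left out P₂ or P₆, which is why the missing-parameter case is checked before the domain test.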

The present invention provides a party that is financially responsible for a postage metering system full control over access and use of the postage metering system. A postage metering system that is accessible by multiple users is subject to users intentionally or inadvertently misusing the postage metering system. For example, a company employee may use the postage metering system for personal use, or a disgruntled employee may overpay postage for mailed items. In accordance with the present invention, defining the postal rating parameters with only rates allowed by postal regulations and by the party that is financially responsible for the postage metering system prevents such misuse, whether intentional or inadvertent. Additionally, the system administrator may add additional parameters such as destination ZIP and origin ZIP to provide further control. Furthermore, a postage metering system having multiple users may have separate PPV's defined for each user. The PPV's are accessible only by the system administrator. This ensures that operators do not know which parameters are being checked.

For example, a PPV can be defined with a parameter of ZIP 06484 that can be posted only on Fridays, which may be the date of billing. Additionally, the rating parameters may prevent posting of an operator entry of $ 3.20 instead of $ 0.32. Using piece count as a parameter allows the system administrator to control the volume of mail on a daily, weekly or monthly basis. The system administrator can update the PPVs as needed, for example, on a daily basis. When the postage metering system determines for a particular transaction that a PPV does not check out, the system provides a message back to the user to contact the system administrator.

The present invention is particularly useful for virtual postage metering systems and network metering systems because typically there is no control over the physical access of the metering system.

The present invention is also suitable for use with closed metering systems. Although there are fewer parameters that can be defined for a closed metering system, the present invention can be used to check for parameters that are available in a closed metering system. Closed system parameters include rating parameters, lockout dates, postage value and even user password. For example, a user may be allowed access only on certain days.

When the postal service updates its regulations or postal rates, the PPV's may be updated automatically. For example, if the postal service provides such updates on the Internet, the updates can be downloaded directly to the postage metering system to update PPV's. For virtual postage metering systems and network metering systems, the system can automatically log onto the appropriate postal service web page to update parameters associated with discounts for particular mailing on a particular day.

It will be understood that, although the embodiments of the present invention are described as postage metering systems, the present invention is applicable to any value metering system that includes transaction evidencing, such as monetary transactions, item transactions and information transactions.

While the present invention has been disclosed and described with reference to embodiments thereof, it will be apparent, as noted above, that variations and modifications, such as using public keys instead of private keys, may be made therein. It is, thus, intended in the following claims to cover each variation and modification that falls within the true spirit and scope of the present invention.

What is claimed is:
 1. A method for controlling a postage metering system, the method comprising the steps of: defining a first set of postage parameters associated with the generation of postage evidence in a postage metering system; initializing the postage metering system with a subset of the first set of postage parameters, said subset defining a combination of the postage parameters for which the generation of postage evidence is not authorized; receiving a request for postage evidence, said request including a second set of postage parameters; inhibiting the generation of postage evidence when at least one of the postage parameters in the second set matches one of the postage parameters in the first set; and generating the requested postage evidence when none of the postage parameters in the second set matches any of the postage parameters in the first set.
 2. The method of claim 1 wherein the second set of postage parameters describes a postage parameter vector.
 3. The method of claim 2 comprising the further steps of: defining the subset of the first set of postage parameters as a domain; and determining whether the postage parameter vector is within the domain.
 4. The method of claim 1 wherein the set of postage parameters includes rating parameters, destination postal codes, and origin postal code.
 5. A method for controlling a postage metering system, the method comprising the steps of: defining a first set of postage parameters associated with the generation of postage evidence in a postage metering system; initializing the postage metering system with a subset of the first set of postage parameters, said subset defining a combination of the postage parameters for which the generation of postage evidence is authorized; receiving a request for postage evidence, said request including a second set of postage parameters; generating the requested postage evidence when each of the postage parameters in the first set matches one of the postage parameters in the second set; and inhibiting the generation of postage evidence when one of the postage parameters in the first set does not match any of the postage parameters in the second set.
 6. The method of claim 5 wherein the second set of postage parameters describes a postage parameter vector.
 7. The method of claim 6 comprising the further steps of: defining the subset of the first set of postage parameters as a domain; and determining whether the postage parameter vector is within the domain.
 8. The method of claim 5 wherein the set of postage parameters includes rating parameters, destination postal codes, and origin postal code.